"GwisinLocker Ransomware Targets Linux Systems in South Korea"

Researchers at ReversingLabs discovered a new ransomware family targeting Linux-based systems in South Korea. Dubbed GwisinLocker, the malware was detected by the researchers on July 19 in successful campaigns targeting firms in the industrial and pharmaceutical space. The researchers stated that in those incidents, the adversaries often launched attacks on public holidays and during the early morning hours (Korean time), looking to take advantage of periods in which staffing and monitoring within target environments were relaxed. According to the researchers, GwisinLocker is a new malware variant created by a previously little-known threat actor called "Gwisin" (a Korean term for ghost or spirit). They noted that in communications with its victims, the Gwisin group claims to have deep knowledge of their networks and to have exfiltrated data. Regarding the payment system behind the ransomware, the researchers noted that victims are required to log into a portal operated by the group and establish private communications channels for completing ransom payments. As a result, little is known about the payment method used or any cryptocurrency wallets associated with the group. The researchers stated that because of the group's familiarity with the Korean language and with the South Korean government and law enforcement forces, Gwisin might be a North Korean-linked advanced persistent threat (APT) group.
 

Infosecurity reports: "GwisinLocker Ransomware Targets Linux Systems in South Korea"
